[Emerging-Sigs] Kuriyama Loader

Travis Green tgreen at emergingthreats.net
Fri Jan 26 06:37:09 HST 2018


Thanks! We'll get this in QA for today's release.

-Travis

On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <attackdetectionteam at gmail.com> wrote:

> Hi, Kuriyama bot here.
> Translation of the description from the seller's website:
> Kuriyama is a multifunctional experimental loader that uses the Telegraph
> as a control panel. The idea of creating a similar I picked up in botnets,
> focusing on youtube, twitter, etc. When using a telegraph, you do not need
> to bother with anonymity, setting up the VPN, hosting, domains and other
> slag. The post of the telegraph will be tied to your hardware and you will
> not be able to reconnect the build without agreement with me.
>
> Signature:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow:established,to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method; content:!"Referer|3a|"; http_header; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, malware_family botnet, malware_family loaders, performance_impact Moderate, updated_at 2018_01_25; classtype:trojan-activity; metadata:id_462921, created_at 2018_1_25; sid:10002482; rev:1;)
>
> Links:
> Page(ru): https://darkwebs.ws/threads/41806/
> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/AADI55uuJg5wxhkfzNlqP8IMa?dl=0
> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/analysis/
> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e4a836019ff33588336bb6c611511fe3248aa3205d6b/?environmentId=100
>
> Best regards, John.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
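Added example, not code from the post or from the Emerging Threats ruleset: a small Python matcher that transcribes the conditions of the posted rule (sid 10002482) so its logic can be checked offline against constructed HTTP requests. It covers the GET method check, the four http_uri content matches, and the negated Referer header match, and shows that a request carrying a Referer header or missing one of the parameters does not fire. Hostnames, paths and parameter values in the samples are placeholders and are not taken from the referenced pcap.

```python
# Added example, not code from the Emerging-sigs post: a reference matcher
# that applies the conditions of the posted Suricata rule (sid 10002482)
# to raw HTTP requests, for checking the rule's logic against constructed samples.
from dataclasses import dataclass

# The four http_uri content matches from the rule. Suricata content matches are
# case-sensitive unless 'nocase' is given, and the rule gives none.
URI_TOKENS = ("?hwid=", "&group=", "&os=", "&cpu=")

# content:!"Referer|3a|" -> '|3a|' is the hex escape for ':', so the negated
# match looks for the bytes "Referer:" in the normalized header buffer.
REFERER_NEEDLE = "Referer:"


@dataclass
class HttpRequest:
    method: str
    uri: str
    header_block: str  # all header lines as seen on the wire


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, request-target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, header_block = head.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    return HttpRequest(method, target, header_block)


def matches_kuriyama_checkin(req: HttpRequest) -> bool:
    """Return True when a request satisfies every condition in the rule."""
    # content:"GET"; http_method;
    if req.method != "GET":
        return False
    # content:"?hwid="; http_uri; ... content:"&cpu="; http_uri;
    # The rule has no distance/within modifiers, so token order in the URI
    # is not constrained; all four just have to be present.
    if not all(token in req.uri for token in URI_TOKENS):
        return False
    # content:!"Referer|3a|"; http_header; -> the rule fires only when the
    # bytes "Referer:" are absent. A lower-case "referer:" would still satisfy
    # the negation; that mirrors the rule's case-sensitive match, not a bug here.
    if REFERER_NEEDLE in req.header_block:
        return False
    return True


# Constructed sample requests (hostnames, paths and parameter values are
# placeholders, not taken from the pcap referenced in the post).
SAMPLES = {
    "checkin_no_referer": (
        b"GET /check?hwid=PLACEHOLDER&group=test&os=Win7&cpu=4 HTTP/1.1\r\n"
        b"Host: panel.example.invalid\r\n"
        b"User-Agent: Mozilla/4.0\r\n\r\n"
    ),
    "checkin_with_referer": (
        b"GET /check?hwid=PLACEHOLDER&group=test&os=Win7&cpu=4 HTTP/1.1\r\n"
        b"Host: panel.example.invalid\r\n"
        b"Referer: http://panel.example.invalid/\r\n\r\n"
    ),
    "post_instead_of_get": (
        b"POST /check?hwid=PLACEHOLDER&group=test&os=Win7&cpu=4 HTTP/1.1\r\n"
        b"Host: panel.example.invalid\r\n\r\n"
    ),
    "missing_cpu_parameter": (
        b"GET /check?hwid=PLACEHOLDER&group=test&os=Win7 HTTP/1.1\r\n"
        b"Host: panel.example.invalid\r\n\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the matcher, keyed by sample name."""
    return {name: matches_kuriyama_checkin(parse_request(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the first sample should produce an alert; the Referer-bearing, POST, and truncated-parameter samples all fall through one of the rule's conditions. The matcher is a literal transcription and shares the rule's limits, for example a client that sends the header name in lower case would still match, since the rule's byte match is case-sensitive.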